[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM

Stephen stephen at ogdenradar.com
Fri Mar 22 17:39:02 UTC 2019


Rowland - good news - the instructions in that document you suggested 
appear to have made all the difference!

Now I find that if I do:

pi at ad2:~ $ sudo systemctl restart samba-ad-dc

pi at ad2:~ $ sudo samba-tool drs showrepl
Default-First-Site-Name\AD2
DSA Options: 0x00000001
DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30
DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 17:11:56 2019 GMT

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 17:11:55 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 17:11:55 2019 GMT

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 17:11:57 2019 GMT

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 17:11:56 2019 GMT

DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 17:11:57 2019 GMT

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ Fri Mar 22 17:11:46 2019 GMT was successful
                 0 consecutive failure(s).
                 Last success @ Fri Mar 22 17:11:46 2019 GMT

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
         Default-First-Site-Name\AD1 via RPC
                 DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
         Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c
         Enabled        : TRUE
         Server DNS name : ad1.samdom.example.com
         Server DN name  : CN=NTDS 
Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!

Notice now crucially that the *outbound section here in this output is 
now fully completed whereas it was empty previously*. My manual testing 
suggests that newly created accounts replicate from ad2 to ad1 following 
this change successfully.
It looks like later versions of Samba set up these additional CNAME DNS 
records behind the scenes, whereas 4.5 on my Pi seems to require these 
additional incantations and goat sacrifice to make things work 
successfully. C'est la vie.

Happily, the change you have suggested there also appears to have 
cascaded to the AD SRV records on both DCs, which was the other question 
I was going to ask.

pi at ad1:~ $ host -t SRV _kerberos._udp.samdom.example.com
_kerberos._udp.samdom.example.com has SRV record 0 100 88 
ad1.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 
ad2.samdom.example.com.

pi at ad1:~ $ host -t SRV _ldap._tcp.samdom.example.com
_ldap._tcp.samdom.example.com has SRV record 0 100 389 
ad1.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 
ad2.samdom.example.com.


Thanks once again for your help, it's very much appreciated!

Kind Regards
Stephen Ellwood
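The `samba-tool drs showrepl` listing above is the check an operator repeats after every join, and the thing that was wrong before the fix (an empty OUTBOUND NEIGHBORS section) is easy to miss by eye. The script below is an added example, not code from this post or from the Samba project: it parses the showrepl text format as printed above and reports partitions whose last attempt failed, partitions with no replication recorded yet (`NTTIME(0)`, which the post's own output shows for several outbound partitions immediately after the join), a missing outbound section, and any `Warning:` lines. The two sample listings are constructed, shortened from the post's output; the failed-attempt entry and its error code are invented for the demonstration.

```python
"""Health check over `samba-tool drs showrepl` output (added example, not Samba code)."""
import re
from dataclasses import dataclass


@dataclass
class Neighbor:
    direction: str            # "inbound" (this DC pulls) or "outbound" (partner pulls)
    nc: str                   # naming context, e.g. DC=samdom,DC=example,DC=com
    partner: str              # Site\Server exactly as samba-tool prints it
    attempt_ok: bool = False  # "Last attempt @ ... was successful"
    failures: int = 0         # "N consecutive failure(s)."
    last_success: str = ""    # timestamp, or NTTIME(0) when nothing is recorded


def parse_showrepl(text):
    """Return (neighbors, warnings) parsed from the showrepl text."""
    neighbors, warnings = [], []
    direction = nc = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Warning:"):
            warnings.append(line)
            continue
        m = re.fullmatch(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====", line)
        if m:
            direction, nc, cur = m.group(1).lower(), None, None
            continue
        if line.startswith("===="):            # KCC section: no more neighbors
            direction = None
            continue
        if direction is None:
            continue
        if not raw[0].isspace() and line.split("=", 1)[0] in ("CN", "DC"):
            nc = line                          # unindented line names the partition
            continue
        m = re.fullmatch(r"(\S+) via (\S+)", line)
        if m and nc:
            cur = Neighbor(direction, nc, m.group(1))
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Last attempt @"):
            cur.attempt_ok = line.endswith("was successful")
        elif line.endswith("consecutive failure(s)."):
            cur.failures = int(line.split()[0])
        elif line.startswith("Last success @"):
            cur.last_success = line.split("@", 1)[1].strip()
    return neighbors, warnings


def replication_issues(text):
    """Human-readable findings; FAIL entries need action, NOTE/WARN are informational."""
    neighbors, warnings = parse_showrepl(text)
    issues = []
    for n in neighbors:
        where = f"{n.direction} {n.nc} via {n.partner}"
        if not n.attempt_ok or n.failures:
            issues.append(f"FAIL {where}: last attempt failed, "
                          f"{n.failures} consecutive failure(s)")
        elif n.last_success == "NTTIME(0)":
            issues.append(f"NOTE {where}: no replication recorded yet")
    if not any(n.direction == "outbound" for n in neighbors):
        issues.append("FAIL no outbound neighbors: partners are not pulling from this DC")
    issues.extend(f"WARN {w}" for w in warnings)
    return issues


# Constructed sample, shortened from the post's post-fix listing.
HEALTHY = r"""
Default-First-Site-Name\AD2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
                0 consecutive failure(s).
                Last success @ Fri Mar 22 17:11:57 2019 GMT

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====
"""

# Constructed sample of the pre-fix state: empty outbound section, plus an
# invented inbound failure (error code and timestamps are made up).
BROKEN = r"""
==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\AD1 via RPC
                DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
                Last attempt @ Fri Mar 22 16:50:01 2019 GMT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                3 consecutive failure(s).
                Last success @ Fri Mar 22 15:10:12 2019 GMT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Enabled        : TRUE
Warning: No NC replicated for Connection!
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(f"--- {name} ---")
        for issue in replication_issues(sample) or ["OK"]:
            print(issue)
```

On a real DC, pipe the live output in with `sudo samba-tool drs showrepl | python3 check_showrepl.py` after replacing the `__main__` block with a `sys.stdin.read()`; run it on both DCs, since each side only shows its own view of the neighbor links.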
